Description
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
Published: 2026-06-03
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GLPI, an asset and IT management tool, contains a flaw that lets a technician delete any file the web server can write. The vulnerability stems from insufficient access control, allowing unauthorized file system modifications. This can compromise data integrity and availability on the affected server. The weakness is identified as CWE-862: Permissions or Access Controls.

Affected Systems

Affected versions include GLPI releases from 0.78 through 9.9, and the issue persists in the 10.x and 11.x branches before versions 10.0.25 and 11.0.7 respectively. The product is provided by glpi-project:glpi.

Risk and Exploitability

The flaw carries a CVSS score of 7, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Technicians with local update privileges on the web server can execute the attack directly via the GLPI web interface, making exploitation straightforward if the attacker acquires a technician account.

Generated by OpenCVE AI on June 3, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 10.0.25 or newer, or 11.0.7 or newer, where the deletion flaw is fixed.
  • Restrict the web server’s file write permissions so that it can only modify the directories required by GLPI, eliminating write access to arbitrary locations.
  • Limit technician account privileges to the minimum required for their tasks and disable file-deletion functionality for any account that does not need it.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 17:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Glpi-project; Glpi-project glpi
Vendors & Products                     Glpi-project; Glpi-project glpi

Wed, 03 Jun 2026 16:00:00 +0000

Type          Values Removed   Values Added
Description                    GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
Title                          GLPI vulnerable to arbitrary files deletion by technician
Weaknesses                     CWE-862
References
Metrics                        cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T14:14:04.768Z

Reserved: 2026-04-26T12:37:18.170Z

Link: CVE-2026-42317

Vulnrichment

Updated: 2026-06-04T14:14:00.117Z

NVD

Status: Deferred

Published: 2026-06-03T16:16:29.530

Modified: 2026-06-04T15:41:35.193

Link: CVE-2026-42317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T18:00:07Z

Weaknesses